The ECB-SSM discloses the supervisory practices related to recovery planning and sets the way forward: The operationalization of recovery planning – what now?

by Dentons
Contact

Dentons

Quick Take: More clarity—or more confusion—on what the European Central Bank, acting in its Single Supervisory Mechanism capacity (the ECB-SSM), expects?

The ECB-SSM’s July 2018 Report1 summarizes the supervisory lessons learned and best practices identified in the first three recovery planning cycles since the creation of the ECB-SSM for credit institutions, i.e. banks. This will be of particular interest for those Banking Union Supervised Institutions (BUSIs) classified as significant credit institutions (SCIs). Importantly, as assessed in this Client Alert, the Report also alludes to what has been known as the most significant and overdue next step for the ECB-SSM in relation to recovery planning—the “operationalization” of Recovery Plans in making them more concise, usable and operational.

Regulatory requirements

Recovery planning for financial services can be defined as an ongoing exercise to ensure that the institution has appropriate contingencies in place to respond to a significant stress while remaining a going concern. Recovery options are defined as “…the measures that a bank can take in order to restore its financial position in a crisis situation.”

The regulatory requirements on recovery planning for the EU’s banking sector are set out in the Banking Recovery and Resolution Directive (BRRD)2 and are complemented by the relevant technical standards in the form of the EU’s Commission Delegated Regulation3 and the European Banking Authority (EBA) Guidelines.4 The BRRD applies EU-wide but the ECB-SSM, together with the Single Resolution Board, act as the institutional “pillars” in the Banking Union and are in charge of how BRRD is applied to SCIs in recovery but also resolution.

The ECB-SSM Report provides more color on the practical supervisory application of these pieces of legislation and highlights “best practices” applied by those that the ECB-SSM considers as “best in class” SCIs in terms of their Recovery Plans. As the formal documents constituting a “Recovery Plan” are created by BUSIs and reviewed by the supervisors, additional publicly available guidance for BUSIs as to the standard expected from these documents is certainly welcome. Whilst the Report, in keeping with other ECB-SSM “Guides” that really read more like rules, the Report sets out supervisory expectations by stating: 

“The report does not aim to impose additional requirements on banks. However, it makes reference to specific requirements set by the Bank Recovery and Resolution Directive (BRRD), the relevant Commission Delegated Regulation and European Banking Authority (EBA) guidelines. The ECB expects banks to comply with all these requirements in line with the law.”

So who might be interested? Besides the impact on SCIs as the direct addressees of the scope of the Report, it will likely be of interest to non-SCI BUSIs. This is especially likely to be the case, as what happens in respect of supervisory expectations set in respect of SCIs are often subsequently rolled-out and mirrored in relation to those other BUSIs that are not SCIs. In addition to the rolling-out, the Report may also be of interest to non-Banking Union credit institutions or third-country (i.e. non-EU) equivalent types of firms who might choose to apply similar measures. 

So how will this affect SCIs? SCIs are directly supervised by the ECB-SSM. This shift will most likely mean a significantly higher level of scrutiny over the feasibility of execution of the recovery options, both in terms of a conceptual challenge of the assumptions put forward by the banks in their Recovery Plans (for which the best practices identified by the Report may be used as a guide), and, in a more unprecedented way, which is where the operationalization part comes in, whether the internal governance and operational capacity would allow the option to be exercised. The Report suggests using non-mandatory measures to improve operationalization such as using a “Playbook” or steps plan as well as performing dry-run exercises. Some of this design and embedding will require cross-enterprise input plus support from external legal counsel.

So how have SCIs done? Supervisory requirements and best practices

In its Report, the ECB-SSM identified a number of shortcomings in the SCI’s compliance with recovery planning requirements set out in legislation:

  1. Presentation of recovery options: The relevant firms did not discuss the recovery options exhaustively and provided incomplete impact and feasibility assessments. Certain firms have not given significant consideration to the breadth of recovery options presented in plans and the nature of the firms’ business, size and interconnectedness to the financial system. SCIs were encouraged to consider a broader range of recovery options in their Recovery Plans, and the Report provides examples of which elements to include when presenting recovery options as well as elements that SCIs could consider in a feasibility assessment of the options (see below). This also extends to reviewing and considering feasibility of as well as the recovery options themselves in light of cyber-resilience.5
  2. Misstatement of the recovery capacity: Another common flaw was an overstatement of the institutions’ own recovery capacity, which is defined as the extent to which a firm could restore its financial position following a significant deterioration of its financial situation.
  3. Inadequate indicator frameworks: The ECB-SSM also identified a lack of robustness in the indicator frameworks, which can include, among others, capital, liquidity, operational or macroeconomic indicators as well as inadequate consideration of the supervisory dialogue flowing from the ECB-SSM administered Supervisory Review and Evaluation Process (SREP)6 or the extent of asset encumbrance generally as well as impact of non-performing exposures and loans (NPLs) specifically. SCIs are also encouraged to start including the minimum requirement for own funds and eligible liabilities (MREL) indicator in their Recovery Plans and at the latest when MREL becomes binding and applicable to them.

1. Presentation of recovery options

In terms of presentation of recovery options, the ECB-SSM pointed out the need by institutions to improve their compliance with Article 19 of the Commission Delegated Regulation, which requires an assessment of the feasibility of a timely and effective execution of the recovery option and the impact that the execution of the option would have on the firm and the financial system.

The feasibility assessment could be based on the SCI’s or its peers’ past experience, market intelligence and analysis of potential legal, operational, financial and other impediments to the exercise of the option. Analytical elements of the feasibility assessment include the potential market situation and dependence on third parties. The stated time required to realize the option should be justified, for example, by way of best practice, by breaking it down into specific actions and governance approvals required.

The impact assessment should be quantified and underpinned by adequate valuations, reflecting the marketability of assets under different conditions. As a good practice, the ECB-SSM identified providing valuations based on similar transactions conducted by the firm in the past or value achieved by peers in similar transactions. As an added value for the plan, the bank may also include a summary of the rationale for the selection of the recovery options in the plan and the reasons for rejection of other options. The reasoning may include capital and liquidity considerations.

2. Recovery capacity

In terms of overall recovery capacity (the ORC), the ECB-SSM has taken the view that banks overstated the common equity tier 1 (CET1) increase and improvement in the liquidity coverage ratio caused by the implementation of recovery options. A realistic assessment of the ORC should take into account the following factors:

  1. Mutual exclusivity of the options, greater considerations that some recover options are fully or partially mutually exclusive and may need to be executed successively; 
  2. Interdependencies between various recovery options, for example, cancelling dividends on CET1 or AT1 instruments may have a knock-on effect on subsequent CET1, AT1 or T2 issuances; 
  3. Capacity under idiosyncratic versus system-wide events, which may cause the recovery capacity to differ, depending on the scenario;
  4. Reputational effects, which may occur if multiple recovery options are executed at the same time, for example, if multiple subsidiaries are being disposed of;
  5. Operational capability, in particular when multiple options are executed in parallel, the SCI may not have the operational human and other resources to execute the various recovery options;
  6. Consequences for the business model, and the impact on the options on the long-term viability of the business model, especially following the execution of a combination of recovery options;
  7. Proper testing of the set of options, should take into account all of the available options allowing them to recover in a range of scenarios based on events and factors most relevant to the SCI;
  8. Optimizing for capital and liquidity crisis situations, such as distinguishing between the recovery capacity in solvency and liquidity-induced crises.

Another best practice identified was to list the potential recovery options under each stress scenario, and then distinguish between those that would be exercised in a recovery and those that would be triggered in a contingency situation. In a recovery scenario, the SCI would usually select the easy to achieve options, which are not disruptive to the business model and would not alert the market.

3. Recovery indicator frameworks

In terms of the recovery indicators used, the ECB-SSM observed that a number of SCIs did not use all of the mandatory indicators set out in the EBA Guidelines. The ECB-SSM also noted that the selected indicators did not always accurately match the bank’s risk profile. For example, almost 44 percent of a sample of 22 SCIs, which had incurred high operational losses in the past, did not include operational risk indicators in their recovery frameworks. The ECB-SSM’s supervisory expectations are clear that this gap must be rectified. Moreover, SCIs are also expected to calibrate the indicator thresholds appropriately, allowing the thresholds to be breached sufficiently early to provide the SCI with ample time to execute the recovery options before regulatory capital and liquidity requirements have been breached. The indicator framework should also be integrated in the business-as-usual risk management and aligned with the existing capital plan and liquidity contingency plan thresholds. 

As a result, SCIs are encouraged to be clearer in distinguishing between those measures that are part of (X) liquidity contingency plans and the business as usual environment and (Y) of the Recovery Plan.  Failure to categorize and distinguish which measures fit where, could, even if there are overlaps and a potential to progress from business-as-usual contingency measures to Recovery Planning, lead to double-counting and misrepresent the viability of the SCI, its road to recovery and the ORC.

Operationalization of Recovery Plans – Playbooks and Dry Runs

The Report stated that in the coming supervisory cycles the ECB-SSM will focus on the operationalization aspect of the plans, assessing the evidence that the recovery plan and the individual recovery options could be applied in times of stress. A chart7 showing the size of Recovery Plans by number of pages demonstrates the willingness to shift away from treating recovery planning as a compliance exercise to more meaningful documents, which can be incorporated into the SCI’s risk management. The issue concerning the current size of Recovery Plans was even identified in the Report as an impediment to the operationalization of recovery planning – i.e. it is difficult to prevent “too big to fail” if the SCI’s plan to do so is “too big to read”.

The operationalization would include so-called “Playbooks”, where the operational actions which would be taken by the senior management of the SCI are detailed as a steps plan of business process workflows, often in a more visual format. The Report describes these as a “concise implementation guide”. While there are no clear rules to how long and detailed a Playbook ought to be it will have to be detailed enough and clear to follow to act as the abridged version of a much longer Recovery Plan.

The Report also sets out examples of best practice content of Playbooks. Specifically it considers “good” Playbooks those that clearly set out:

  • The crisis management governance, including roles and responsibilities;
  • A swift and effective decision-making chains including pro forma documents as well as decision-making standing agenda points for recurring items as well as those that need to be taken in the first 48 hours of the Recovery Plan being triggered;
  • An overall escalation procedures;
  • A tabular overview of recovery options, which include figures or visual representations of costs, timelines to implementation, degree of impact on the SCI and the financial system, based on a red, amber and green measure as well as who is responsible for the execution of the relevant recovery option; and
  • A contact list with external and internal stakeholders, a communications plan as well as a list of impacted and relevant policies and procedures.

The creation and maintenance of a Playbook likely require dedicated support from internal and external stakeholders to make sure that both it and the Recovery Plan are maintained in a continuous fashion and are sufficiently accessible and clear for stakeholders and supervisors. It is also to be expected that the ECB-SSM will still require that senior management and key function holders are familiar with the contents of both the Playbook and the Recovery Plan. There will be no “free passes” awarded for reading just the “abridged” version of what in many cases will be the considerably longer opus.

Operationalization does not just end with Playbooks. The Report suggests, in keeping with existing EU rules and good practice on business continuity management, that SCIs undertake “dry runs” where parts of the Recovery Plan are tested. A dry run is a “live” simulation of the Recovery Plan being put through its paces to demonstrate whether the selected part of the Recovery Plan could be implemented in a crisis situation, to train staff and to identify areas for improvement.

The areas that can be tested include the decision-making procedures, the availability of information, operational aspects (for example the viability of the decision-making timelines) and communication strategies. Dry runs are particularly applicable for scenarios such as IT failures or cyberattacks. The ECB’s recommendations for conducting dry runs include ensuring the involvement of the bank’s management body, clearly defining the scope of the exercise, adequate preparation, including setting out detailed assumptions, informing everyone involved that a dry run will take place, as well as setting realistic timelines, corresponding to a stress situation.

These exercises will not be mandatory, and other approaches will be permitted for SCIs to demonstrate that their Recovery Plans could be used in stress but it is conceivable that the ECB-SSM, especially for those SCIs that are deemed to be “complex” may request an explanation as to why a SCI has not conducted a dry run.

Other best practices include the presence of independent observers, such as the internal audit function, a timely follow up, recurrent exercise of the dry runs (e.g. on an annual basis) and communication of the outcome to the supervisor.

Next steps for credit institutions

Although the ECB-SSM Report is aimed at improving compliance with existing requirements through more robust analytics, the move towards operationalization of the Recovery Plans may require a closer look at the role of project governance of Recovery Plan management in non-stress and stress/trigger situations as well as how these requirements interface with other regulatory initiatives, as well as with the business-as-usual risk management processes.

The Report is quite clear that the dry runs are properly prepared, periodically tested with sufficient prior communication and a realistic and timely defined scope and objective coupled with “clear ownership” by the management body of the SCI in respect of the Recovery Plans but also the dry runs are seen as a best practice principle. As a result, one would expect that this ownership needs to be evidenced by a named person but also that said person is supported and trained by suitably qualified members of the SCI’s respective governance, risk and compliance functions as well as external counsel where required.

The supervisory expectations relating to different regulatory exercises have largely been developed in silos, however, for SCIs, the required recovery planning enhancements may be a good opportunity to integrate the analytics applied across the different exercises. A holistic approach to recovery planning may require integrating risk management and stress testing, as well as linking it with the approach to capital and liquidity management, including capital and liquidity contingency plans, as well as crisis management arrangements.

The integration within the risk management framework may include taking action to embed recovery planning into the bank’s existing risk appetite and risk tolerance frameworks, as well as into the existing data aggregation and reporting structures, and incorporate recovery planning information and indicators into management information and processes.

The analysis feeding into the Recovery Plan document will need to be comprehensive, as highlighted in the analysis of the best practices on the Presentation of recovery options and Misstatement of the recovery capacity above. The feasibility of execution of the identified recovery options needs to be tested and the impact on the firm and the financial system adequately assessed and valued.

There is one more exercise that may join the suite of regulatory stress scenario exercises required by the regulators. In mid-April 2018, the press reported that certain Global Systemically Important Financial Institutions prepare solvent wind-down plans, an exercise which a number of such firms may be familiar following a number of iterations of solvent wind down plans required by the US and the UK regulators. The exercise has been used by the UK and US regulators to understand the cost of winding down a business, in particular the trading book, providing a view on the complexity and maturity of the trading book, as well as capital and liquidity implications. The ECB-SSM has not yet publicly stated whether other banks are or will be in scope of this exercise beyond those that were initially addressed. Rather frustratingly for other SCIs and other BUSIs, there is a lack of public information available, as of yet, on how the ECB-SSM’s approach compares to those of the US and UK peers even if it has become apparent that a certain amount of data items may have been duplicated.

Next steps for supervisory and resolution authorities

Just as the Report flags that recovery planning is a continuous effort for SCIs, the European Court of Auditors in their report on “The operational efficiency of the ECB’s crisis management for banks”8 (the Audit Report) suggested a number of ways in which supervisors may (improve the) use the Recovery Plan assessments in day-to-day supervision. This statement follows previous criticism that Recovery Plans are theoretical, redundant documents, whereby no evidence or assurance that a bank could realize the recovery options presented in the plan is provided.

The Audit Report provides examples of actions that can be taken by supervisors in order to improve assurance over the viability of the Recovery Plan, including on-site inspections to verify the accuracy of the data and the assumptions included in the Recovery Plan, and monitoring whether banks have taken action provided in the Recovery Plan, but without labelling it as such. In terms of crisis identification, it was recommended that the Joint Supervisory Teams have access to an automatic monitoring of the institution-specific triggers.

The coordination between the supervisory and resolution planning authorities within the Banking Union has also been identified as an area pending completion. An improved cooperation between the authorities representing the two Banking Union Pillars, including information sharing in non-crisis and crisis situations, would not only ensure that the information requests and assumptions are aligned, but also that there is an integrated approach to crisis management across the authorities.

Conclusion

Although the cross-institutional Banking Union crisis management architecture needs to be further operationalized and improved, as indicated by the Audit Report, the ECB-SSM led iterative recovery planning exercise is taking shape. Consequently for stakeholders, this merits a long-term strategic approach on the integration with business-as-usual activities, other regulatory exercises and business continuity or crisis management activities.

The ECB-SSM Report should therefore provide a helpful starting point in ensuring that the regulatory requirements are met on an on-going basis in a way that aligns with the supervisory expectations and evidencing that an implementation of the plan would be possible in a stress situation. We would expect that the ECB-SSM treat its Report as the first in a series and use it as a tool that is complementary to firm-specific supervisory engagement to improve best practice amongst firms it supervises.


1. See: https://www.bankingsupervision.europa.eu/ecb/pub/pdf/ssm.reportrecoveryplans201807.en.pdf?fa1ecc99e42320376eafda8cba80327e
2. See:https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014L0059&from=EN
3. See: Commission Delegated Regulation (EU) 2016/1075 https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R1075&from=EN
4. See: https://www.eba.europa.eu/regulation-and-policy/recovery-and-resolution
5. Please see our dedicated coverage on the ECB’s new rules on cyber resilience published May 2018 available here.
6. Ideally globally active SCIs will also want to factor in results from non-ECB-SSM SREP and similar assessments as well.
7. Chart 8, page 32 of the Report.
8. https://www.eca.europa.eu/Lists/ECADocuments/SR18_02/SR_SSM2_EN.pdf 

 

Written by:

Dentons
Contact
more
less

Dentons on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at www.jdsupra.com) (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at privacy@jdsupra.com.

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to privacy@jdsupra.com. We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to privacy@jdsupra.com.

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.